/**
 * Apply addslashes() to every leaf value of $params, in place.
 *
 * Nested arrays are descended recursively; each non-array leaf is replaced
 * by addslashes($leaf). The array is modified through the reference and
 * nothing is returned.
 *
 * NOTE(review): addslashes() is a generic, charset-unaware escaper. It is not
 * a substitute for prepared statements (mysqli/PDO placeholders) at the query
 * site, so callers must not rely on it alone for SQL safety.
 *
 * @param array $params the array to escape; modified in place
 */
function ExtendedAddslash(&$params)
{
    foreach ($params as &$leaf) {
        if (is_array($leaf)) {
            // Descend into nested arrays (e.g. field[] style request values).
            ExtendedAddslash($leaf);
            continue;
        }
        $leaf = addslashes($leaf);
    }
    // Drop the dangling reference left by the by-reference foreach.
    unset($leaf);
}
<?php
// Include the database credentials used to connect to the MySQL database.
include "DBcredentials.php";
// Provides ExtendedAddslash(), which addslashes()-escapes request values in place.
// NOTE(review): addslashes() is charset-unaware and is not a substitute for
// prepared statements (mysqli bind_param) at the query site.
include "../templates/sqlInjection.php";
// Escape every $_GET value (recursively) before it is read below.
ExtendedAddslash($_GET);
// The two headers ensure the returned data is parsed as JSON.
// NOTE(review): "*" lets any origin read this response; since the endpoint
// returns data keyed by username, confirm that is intended.
header("Access-Control-Allow-Origin: *");
header("Content-Type: application/json; charset=UTF-8");
// Create a connection to the MySQL server and select the 'whereismymoney' database.
$conn = new mysqli($db_servername, $db_username, $db_password, $db_name);
/*
 * Get username, start month, start year, end month and end year params from the GET request.
 *
 * $username is used to run a query scoped to the logged-in user.
 *
 * NOTE(review): the username is taken from the request, not from a session,
 * and no key is checked for presence (a missing key raises an undefined-index
 * warning) — confirm the caller is authenticated and validate these fields.
 */
$username = $_GET['username'];
$startMonth = $_GET['startMonth'];
$startYear = $_GET['startYear'];
$endMonth = $_GET['endMonth'];
$endYear = $_GET['endYear'];
// If there was a problem connecting to the database, output an error message.
// NOTE(review): connect_error exposes server details to the client; prefer
// logging it and returning a generic JSON error.
if ($conn->connect_errno) {
    die("Failed to connect to MySQL: (" . $conn->connect_errno . ") " . $conn->connect_error);
}
/*
 * This query returns the balance of user account (income-outcome)
<?php
$message = "";
include "database/DBcredentials.php";
// Provides ExtendedAddslash(), which addslashes()-escapes request values in place.
// NOTE(review): addslashes() is charset-unaware and is not a substitute for a
// prepared statement with a bound parameter at the query below.
include "sqlInjection.php";
// Escape every $_POST value (recursively) before it is read below.
ExtendedAddslash($_POST);
// Reset variables.
$username = "";
$firstname = "";
$lastname = "";
$email = "";
$password = "";
// On submit, copy the form fields into PHP variables.
// NOTE(review): no key is checked for presence; a missing field raises an
// undefined-index warning. Validate the fields before use.
if (!empty($_POST)) {
    $username = $_POST['username'];
    $firstname = $_POST['first'];
    $lastname = $_POST['last'];
    $email = $_POST['email'];
    $password = $_POST['password'];
    // NOTE(review): md5() is a fast, unsalted digest and is not a password
    // hash; password_hash()/password_verify() should be used instead.
    $password = md5($password);
    // Connect to the database.
    // NOTE(review): the mysql_* extension was removed in PHP 7; mysqli or PDO
    // is required on a current runtime. die(mysql_error()) also echoes the
    // server error text to the client — log it and show a generic message.
    mysql_connect($db_servername, $db_username, $db_password) or die(mysql_error());
    mysql_select_db($db_name);
    // Get user info.
    // NOTE(review): the username is interpolated into the SQL string; a
    // prepared statement with a placeholder is the correct form here.
    $query = "SELECT * FROM `users` WHERE `username` = '{$username}'";
    $sqlsearch = mysql_query($query);
    // mysql_numrows is the legacy alias of mysql_num_rows — presumably the
    // row count of the lookup above.
    $resultcount = mysql_numrows($sqlsearch);
    // If the user exists (block continues beyond this view).
    if ($resultcount > 0) {